5 Answers
5

Renaming changes the logon attributes from the installation defaults, but does not actually change the intrinsic security properties of the account (e.g. un-exposed attributes); that is why renaming is preferable as well as safer than deleting and recreating. So Johnnie Odom's statement of "Renaming it basically turns it into another account for purposes of security." is not technically correct, but his overall position is.
–
user48838 Sep 11 '10 at 22:08

To clarify my answer -- I didn't mean that renaming changes the security features from a systems standpoint, but from the perspective of a security mindset -- i.e. that renaming eliminates a common attack vector. My note that the account has already been "configured nicely" indicates that the account's nature does not change.
–
Johnnie Odom Sep 12 '10 at 2:08

Just pointing out a confusing, maybe misleading statement. The approach is sound and it was acknowledged.
–
user48838 Sep 12 '10 at 8:46

1

@johnnie @user48838 - My concern was that the administrator account always used the same SID and that this could be used as part of an attack to compromise a machine rather than using the account name. I'm aware that local admin SIDs always start with S-1-5- and end with -500, but the three remaining parts of the SID are large enough values and random enough that I'm happy to rename and sleep comfortably at night.
–
Kev Sep 12 '10 at 10:23

You'll waste your effort and (for backward compatibility) if you have any apps/services on your network that require the Admin account to function, they will break.

2. Disable the BUILTIN\Administrator.

Renaming the account to create a honey pot for attackers is an outdated practice. Any cracker good enough to get this far into your network knows this ploy already. The cracker will just look for the SID ending in -500.

3. Create an account with a non-descript name and give it admin rights.

That is, name the account "JohnBlack" or "BettyClark". Do not name the account something like Superman, Root, Skywalker, or anything with Admin or ADM in it like testadm or LocalAdmin. Programs that still look for the Admin account by name have evolved enough to check for these names too.

4. After you've created the account in step 3, NEVER USE IT!

You can't audit Admin access if you're using it as a regular account (aside from all the other reasons not to use it).
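The answer above rests on the fact that the built-in Administrator keeps relative ID 500 whatever it is called. The following audit script is an added example, not code from any of the answers; it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, locates the RID-500 account by SID rather than by name, and reports whether it has been renamed or disabled and whether another local account (the step 3 fallback) holds admin rights.

```powershell
# Added example: audit the built-in Administrator account by RID, not by name.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

function Get-BuiltinAdminStatus {
    # The built-in Administrator always carries RID 500; renaming changes the
    # name, never the SID, so match on the SID suffix.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
    if (-not $builtin) {
        throw 'No RID-500 local account found; expected on every Windows host.'
    }

    # Other local user accounts that are members of the Administrators group,
    # e.g. a "JohnBlack" account created as the day-to-day admin fallback.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $otherAdmins = @($members | Where-Object {
        $_.ObjectClass -eq 'User' -and $_.SID.Value -notmatch '-500$'
    })

    [pscustomobject]@{
        BuiltinName      = $builtin.Name
        Renamed          = ($builtin.Name -ne 'Administrator')
        Enabled          = $builtin.Enabled
        LastLogon        = $builtin.LastLogon
        OtherLocalAdmins = ($otherAdmins | ForEach-Object { $_.Name }) -join ', '
        # Disabling the built-in account without a second local admin leaves
        # no supported way back in short of offline recovery tooling.
        HasFallbackAdmin = ($otherAdmins.Count -gt 0)
    }
}

Get-BuiltinAdminStatus | Format-List
```

Run it elevated on each host; a result with Enabled = True and Renamed = False on a domain-joined machine is the state the answer recommends changing.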

Renaming the account is the best bet because you are going to require some sort of local admin account, and the one that ships has already been set up and configured nicely to run the system. Renaming it basically turns it into another account for purposes of security.

It changes the name, but not the SID, so I'm not sure it's a real win. The alternative is to rename the administrator account and disable it, then rename the guest account to "Administrator".
–
Steven Sudit Sep 12 '10 at 3:53

Some folks like Steven Sudit's approach to catch "stupid wannabes..." It creates a mini "honey pot" which may lead to idiots who think they are "hacking away" at something meaningful.
–
user48838 Sep 12 '10 at 8:41

@Steven - as I said above, I'm aware that local admin SIDs always start with S-1-5- and end with -500, but the three remaining parts of the SID are large enough values and random enough that I'm happy to rename and sleep comfortably at night.
–
Kev Sep 12 '10 at 10:26

I've come across both recommendations. In my last job we disabled local admin accounts on machines that were on the Active Directory domain.

I'd personally recommend disabling it and creating a new administrative user account. That way if there are any problems with the user profile you still have an administrative account you can fall back on.

Assuming you can get back in to re-enable it...
–
user48838 Sep 12 '10 at 8:42

1

Very true, but there are free boot disk type tools you can use to re-enable it.
–
chunkyb2002 Sep 12 '10 at 18:24

Wouldn't that get you back into the possibly faulty "administrator" account or the one that has been disabled???
–
user48838 Sep 12 '10 at 22:44

The tool I'm most familiar with, though not free (Passware's Windows Key Pro), will let you choose any account on the system to enable and reset the password. There are a number of free apps out there with similar functionality.
–
chunkyb2002 Sep 13 '10 at 3:02

MSDaRT will hack the password just fine. Just disable and cache the credentials.
–
tony roth Jun 1 '12 at 19:46